b'Report No. D-2007-082   April 9, 2007\n\n\n\n\n   Defense Information Systems Agency\n         Controls over the Center\n         for Computing Services\n\x0cAdditional Copies\n\nTo obtain additional copies of this report, visit the Web site of the Department of\nDefense Inspector General at http://www.dodig.mil/audit/reports or contact the\nSecondary Reports Distribution Unit at (703) 604-8937 (DSN 664-8937) or fax\n(703) 604-8932.\n\nSuggestions for Future Audits\n\nTo suggest ideas for or to request future audits, contact the Office of the Deputy\nInspector General for Auditing at (703) 604-9142 (DSN 664-9142) or fax\n(703) 604-8932. Ideas and requests can also be mailed to:\n\n                     ODIG-AUD (ATTN: Audit Suggestions)\n                     Department of Defense Inspector General\n                       400 Army Navy Drive (Room 801)\n                           Arlington, VA 22202-4704\n\x0c\x0c               Department of Defense Office of Inspector General\nReport No. D-2007-082                                                        April 9, 2007\n   (Project No. D2006-D000FG-0053.001)\n\n           The Defense Information Systems Agency Controls over\n                    the Center for Computing Services\n\n                                 Executive Summary\n\nWho Should Read This Report and Why? Department of Defense personnel who\nmanage the services provided by Defense Information Systems Agency (DISA), Center\nfor Computing Services (CS) may find this report of interest, as will other CS user\norganizations and their independent auditors. Supervisors of any part of the DoD\nInformation Assurance program may also find this report useful. This report supports the\noverall Statement on Auditing Standards No. 70 audit and describes compliance with\ngeneral and application control objectives and compliance with applicable laws and\nregulations, including the DoD Information Technology Security Certification and\nAccreditation Process and the Security Technical Implementation Guides.\n\nBackground. The DoD Office of Inspector General is implementing a long-range\nstrategy to conduct audits of DoD financial statements to comply with the Chief Financial\nOfficers Act of 1990 (Public Law 101-576), as amended, which requires agencies to\nprepare and submit to Congress audited financial statements. As part of this effort, we\nperformed a Statement on Auditing Standards No. 70 audit of CS in accordance with\ngenerally accepted government auditing standards and the American Institute of Certified\nPublic Accountants standards. CS provides computer processing for the entire range of\ncombat support functions, including transportation, logistics, maintenance, munitions,\nengineering, acquisition, finance, medicine, and military personnel readiness. With more\nthan 800,000 users, CS provides support for over 1,400 applications in 18 geographically\nseparate facilities. The reliability of general computer controls directly impacts\nindividual financial and accounting systems and feeder systems, and, ultimately, could\nimpact the ability of DoD to produce reliable and auditable financial statements.\n\nResults. Controls associated with the Security Technical Implementation Guides,\ntraining program, information assurance program, and Defense Enterprise Computing\nCenter Pacific needed improvement to ensure that information systems operated\neffectively and provided appropriate confidentiality, integrity, and availability for the\nsystems located there. Without proper general and application controls in place, DISA\nmay not safeguard data; protect computer application programs; preclude unauthorized\naccess to system software and computing facilities; help to ensure continued computer\noperation in case of unexpected interruptions; and effectively manage, operate, and\nsecure the computing environment; consequently, impacting security across the DoD\nenvironment. Specifically:\n\n       \xe2\x80\xa2   CS had ineffective processes for managing computing device configuration in\n           accordance with the DoD Security Technical Implementation Guides. DISA\n           needs to provide an effective security readiness review mechanism and\n           properly manage all vulnerabilities. See finding A of the report for detailed\n           recommendations.\n\n\n                                             i\n\x0c       \xe2\x80\xa2   DISA did not effectively and consistently monitor information assurance\n           training and system administrator certification requirements for all personnel.\n           DISA needs to improve the process of managing and tracking all training and\n           certification requirements and completions. See finding B of the report for\n           detailed recommendations.\n\n       \xe2\x80\xa2   DISA needs to establish a more comprehensive and integrated information\n           assurance program. See finding C of the report for detailed recommendations.\n\n       \xe2\x80\xa2   The general controls over Defense Enterprise Computing Center Pacific were\n           not effective. CS needs to enforce the applicable DoD and DISA policies on\n           Defense Enterprise Computing Center Pacific. See finding D of the report for\n           detailed recommendations.\n\nManagement Comments and Audit Response. The DISA Chief Information Officer\nconcurred with 2 recommendations and nonconcurred with 1 recommendation; the\nDirector, CS concurred with 20 recommendations and nonconcurred with\n1 recommendation; and the Chief, Field Security Operations concurred with\n1 recommendation. We agree with the actions proposed by the DISA Chief Information\nOfficer but request additional details on the actions. We request that the DISA Chief\nInformation Officer provide comments on the final report by May 9, 2007. See the\nFinding section of the report for a discussion of management comments and the\nManagement Comments section of the report for the complete text of the comments.\n\n\n\n\n                                            ii\n\x0cTable of Contents\n\nExecutive Summary                                                         i\n\n\nBackground                                                                1\n\nObjectives                                                                3\n\nFindings\n     A.    Security Technical Implementation Guides                       4\n     B.    Training                                                       8\n     C.    Information Assurance                                         11\n     D.    Defense Enterprise Computing Center Pacific                   26\n\nAppendixes\n     A.   Scope and Methodology                                          31\n     B.   Prior Coverage                                                 35\n     C.   Sampling Approach                                              36\n     D.   STIG Compliance                                                40\n     E.   Criteria for Technical Evaluation                              44\n     F.   Acronyms                                                       46\n     G.   Report Distribution                                            47\n\nManagement Comments\n     Defense Information Systems Agency, Chief Information Office        49\n     Defense Information Systems Agency, Center for Computing Services   52\n     Defense Information Systems Agency, Field Security Operations       58\n\x0cBackground\n           The Defense Information Systems Agency (DISA) Center for Computing\n           Services (CS) provides computer processing for a wide range of combat support\n           functions, including transportation, logistics, maintenance, munitions,\n           engineering, acquisition, finance, medicine, and military personnel readiness.\n           With more than 800,000 users, DISA operates 1,400 applications in\n           18 geographically separate facilities using approximately 40 mainframes and\n           more than 3,000 servers.\n\n           CS processing facilities, which are Defense Enterprise Computing Centers\n           (DECCs), encompass 16 locations across the continental United States, as well as\n           two overseas locations, Pearl Harbor, Hawaii, and Stuttgart, Germany. CS offers\n           computer processing services for DISA-owned and customer-owned platforms.\n           Services include computer operations, data storage, systems administration,\n           security management, capacity management, systems engineering, web and portal\n           hosting, architectural development, and performance monitoring. DECC\n           personnel responsibilities include production operations, such as site operating\n           functions that directly support customer requirements, as well as technical and\n           customer support functions. The 16 continental United States DECCs are divided\n           into the following three functional designations.\n\n                  \xe2\x80\xa2    System Management Centers. The primary responsibility of each\n                       System Management Center is systems management and customer\n                       support for the mainframe and server computing environments. The\n                       System Management Centers are located in\n                       Mechanicsburg, Pennsylvania; Montgomery, Alabama; Ogden, Utah;\n                       and Oklahoma City, Oklahoma.\n\n                  \xe2\x80\xa2    Infrastructure Services Centers. The Infrastructure Services Centers\n                       perform system management for specialized fielding efforts from CS\n                       customers. The Infrastructure Services Centers are located in\n                       Columbus, Ohio; San Antonio, Texas; and St. Louis, Missouri.\n\n                  \xe2\x80\xa2    Processing Elements. Facility management, hardware support, physical\n                       security, touch labor 1 for communication devices, and touch labor for\n                       media management are the primary responsibilities of a Processing\n                       Element. The Processing Elements are located in\n                       Chambersburg, Pennsylvania; Dayton, Ohio; Denver, Colorado;\n                       Huntsville, Alabama; Jacksonville, Florida; Norfolk, Virginia;\n                       Rock Island, Illinois; San Diego, California; and\n                       Warner Robins, Georgia.\n\n           In addition to the DECCs, CS established two Communications Control Centers\n           to provide centralized network management for all DECCs. The Communications\n           Control Centers support all routing, switching, domain name servers, wide-area\n           network connectivity to DISA Network Services, and network security device\n1\n    Touch labor is the physical on-site work needed when the systems are being remotely managed.\n\n\n\n                                                     1\n\x0coperations. The Communications Control Centers are co-located with DECCs\nMontgomery and Oklahoma City.\n\nDoD Information Assurance Requirements. DoD Directive 8500.1,\n\xe2\x80\x9cInformation Assurance,\xe2\x80\x9d October 24, 2002, and DoD Instruction 8500.2,\n\xe2\x80\x9cInformation Assurance Implementation,\xe2\x80\x9d February 6, 2003, provide the baseline\nfor the DoD Information Assurance (IA) Program and lay out five essential\ncompetencies to ensure a successful risk management program. The five essential\ncompetencies are the ability to:\n\n      \xe2\x80\xa2   assess security needs and capabilities,\n      \xe2\x80\xa2   develop a purposeful security design or configuration that adheres to a\n          common architecture and maximizes the use of common services,\n      \xe2\x80\xa2   implement required controls or safeguards,\n      \xe2\x80\xa2   test and verify systems, and\n      \xe2\x80\xa2   manage changes to an established baseline in a secure manner.\n\nThe DoD Instruction 8500.2 defines mission assurance categories (MAC) and\nconfidentiality levels. The MAC level reflects the importance of information\nrelative to the achievement of DoD goals and objectives, particularly the\nwarfighter combat mission. The MACs are the basis for determining availability\nand integrity control requirements. The confidentiality level is primarily used to\nestablish acceptable access factors, such as requirements for individual security\nclearances or background investigations, access approvals, and need-to-know\ndeterminations. The confidentiality level is also used to establish interconnection\ncontrols and approvals and acceptable methods by which users may access a\nsystem, including intranet, Internet, and wireless access. The DoD Security\nTechnical Implementation Guides (STIGs) are written for MAC II Sensitive\nsystems. The MAC II Sensitive systems handle information that is important to\nthe support of deployed and contingency forces and the loss, misuse, or\nunauthorized access to or modification of the information that could adversely\naffect national interest or Federal programs.\n\nControls. Information technology (IT) controls are divided into two types of\ncontrols, general and application. General controls are the policies and\nprocedures that apply to all or a large segment of an entity\xe2\x80\x99s information systems\nand help to ensure proper operation. Some primary objectives for general\ncontrols include safeguarding data, protecting computer application programs,\nprecluding unauthorized access to system software, and helping to ensure\ncontinued computer operation in case of unexpected interruptions. Application\ncontrols are directly related to individual computerized applications. These\ncontrols help ensure that transactions are valid, properly authorized, and\ncompletely and accurately processed and reported. General and application\ncontrols must be effective to help ensure the reliability, confidentiality, and\navailability of critical automated information.\n\n\n\n\n                                     2\n\x0cObjectives\n    The overall audit objective was to evaluate whether CS implemented controls to\n    ensure that its systems and processes were secure and complied with significant\n    applicable guidance and requirements. The objective of the audit was to\n    determine whether (1) DISA general controls over the CS are adequately\n    designed and effective, (2) general and application controls for internal\n    applications that support CS management are adequately designed and effective,\n    and (3) CS is in compliance with applicable Federal and DoD IT and IA policies.\n    See Appendix A for a discussion of the scope and methodology of our review.\n    See Appendix B for prior coverage related to the objectives.\n\n\n\n\n                                       3\n\x0c                     A. Security Technical Implementation\n                        Guides\n                     The CS had ineffective processes for managing computing device\n                     configuration in accordance with the DoD STIGs. Specifically, the\n                     quality assurance process for the Security Readiness Review (SRR) toolkit\n                     was ineffective, CS did not properly manage all vulnerabilities, and DISA\n                     was still in the process of implementing several recommendations from\n                     previous reports. Non-compliance with the STIGs increases the risk of\n                     losing data confidentiality, system integrity, and system availability.\n\n\nSecurity Configuration Guidelines\n           DoD Directive 8500.1 requires that all IA and IA-enabled IT products\n           incorporated into DoD information systems be configured in accordance with\n           DoD-approved security configuration guidelines. The Field Security Operations\n           (FSO) develops system configuration guidelines, which are called the STIGs.\n           The STIGs have become the foundation of translating the DoD IA requirements\n           into technology-specific requirements.\n\n           All DISA assets are to be configured in accordance with the STIGs. The\n           \xe2\x80\x9cMandatory Information Assurance Guidance, DISA Computing Services\n           Operations Policy Letter CS 05-09,\xe2\x80\x9d August 31, 2005, establishes the minimum\n           STIG compliance requirements for initial connection to the DoD network. Prior\n           to system connection, a SRR must be performed in which the system is checked\n           against manual procedures, automated scripts, and the FSO vulnerability scanning\n           tool. The results from these assessments are uploaded into the Vulnerability\n           Management System (VMS).\n\n\nSTIG Compliance\n           The CS had ineffective processes for ensuring and managing computing device\n           configuration in accordance with the DoD STIGs. We used a statistical sample of\n           computing devices, to test for STIG compliance and used the minimum system\n           setting requirements established by the Mandatory Information Assurance\n           Guidance to determine the pass or fail of the computing devices. The Mandatory\n           Information Assurance Guidance requires that all Category I 2 findings be closed\n           and that minimum closure rates be based on the operating system for Category II 3\n           findings. Table 1 contains the minimum closure rate for Category II findings.\n\n2\n    Category I findings are vulnerabilities that may result in a total loss of information and that provides an\n    unauthorized person or software immediate access into a system, gains privileged access, bypasses a\n    firewall, or results in a denial of service.\n3\n    Category II findings are vulnerabilities that provide information that has a high potential of giving access\n    to an unauthorized person, or provide an unauthorized person the means to circumvent security controls.\n\n\n\n                                                         4\n\x0c                 Table 1. Category II Minimum Closure Rate\n                 Operating System        Minimum Closure Rate\n               Network                          90%\n               IBM Mainframe                    85%\n               UNIX                             85%\n               Windows                          90%\n\n    CS did not have effective processes to consistently or completely configure\n    computing devices in accordance with STIGs. The following devices did not\n    meet the minimum closure rates:\n\n           \xe2\x80\xa2   All 19 of the IBM Mainframe,\n           \xe2\x80\xa2   7 of 15 Network,\n           \xe2\x80\xa2   5 of 46 UNIX, and\n           \xe2\x80\xa2   36 of 52 Windows devices.\n\n    For reporting purposes, we are only including results from the devices that we\n    have performed substantive testing. Therefore, the total number of devices in the\n    body of the report tested will differ from the total number used for statistical\n    projection. See Appendix C for additional details on sampling approach and\n    results.\n    In addition, we identified noncompliant trends in password and account\n    management, system permissions, security settings, and baseline comparison.\n    Many of these issues were identified in prior audit reports. See Appendix D for\n    details on specific STIG-noncompliant items.\n\n\nConfiguration Compliance Management\n    The quality assurance process for the SRR toolkit was ineffective, CS did not\n    properly manage all vulnerabilities, and DISA was still in the process of\n    implementing several recommendations from previous audit reports. The lack of\n    effective Windows and UNIX scripts hampers the ability of system administrators\n    (SAs) to effectively manage security over computing devices and to adequately\n    assess compliance with the STIGs. Additionally, the lack of visibility over the\n    total number of vulnerabilities at the DECCs decreases DISA management\xe2\x80\x99s\n    awareness of the actual security posture across DISA. Finally, without fully\n    implementing prior year recommendations, there remains an increased risk of\n    losing data confidentiality, system integrity, and system availability.\n\n    System Readiness Review Toolkit. The quality assurance process for the SRR\n    toolkit released by FSO was not effective. The FSO develops scripts to test STIG\n    compliance for various Windows and the UNIX devices on a quarterly basis.\n    Once the FSO develops the scripts, the Systems Support Office (SSO)\n    Montgomery, in conjunction with DECC Montgomery, performs a quality\n\n\n                                        5\n\x0c           assurance test of the Windows and UNIX scripts. The SSO Montgomery\n           provides feedback to the FSO on the script issues identified during its quality\n           assurance test and maintains issue logs. These issues identified for the UNIX\n           script ranged from false positives and negatives, script syntax errors, and logic\n           errors. The severity of these issues ranged from Category I to Category III. 4\n\n           Based on the quality assurance test results, the FSO addresses as many of the\n           identified issues as possible. After the FSO addresses the issues, the FSO sends\n           the scripts back to the SSO Montgomery for customization. Once the scripts are\n           customized for the DECCs, the SSO Montgomery releases the scripts to the\n           DECCs. However, the customized scripts may still contain unresolved issues\n           identified during the quality assurance test. For example, the quality assurance\n           test log showed 50 outstanding UNIX script issues as of April 6, 2006. The FSO\n           was not able to address all issues before releasing the scripts to the DECCs. The\n           FSO needs to improve the quality assurance process to resolve the script issues\n           prior to release.\n\n           Vulnerability Management. DISA did not effectively manage all\n           vulnerabilities. The VMS reports on the security weaknesses and the associated\n           corrective actions through Plan of Action and Milestones (POA&M) reports,\n           which support the Federal Information Security Management Act of 2002\n           reporting requirements. The POA&M reports are used to identify and monitor IT\n           security-related programmatic and system-level weaknesses found in programs\n           and systems and serves as a baseline for assessing the maturity of the DoD IT\n           security program. DISA prepared the high-level POA&M reports based on\n           records maintained in the VMS. The POA&Ms are associated with each\n           vulnerability, however, VMS did not include vulnerabilities identified by the\n           DECC during self-assessments. Therefore, DISA may not have all the detailed\n           information to provide aggregate POA&M reporting.\n\n           Process Improvement. During our audit, DISA was in the process of fully\n           implementing recommendations from our previous audit reports. In prior reports,\n           we recommended that the Director, CS develop a program to familiarize the SAs\n           with their specific roles in maintaining a secure computing environment,\n           including: a) specific STIG requirements that the SAs must comply with and b)\n           specific guidance on how to manually test STIG requirements not tested by\n           automated scripts. The FSO took over the responsibility of the SA Certification\n           Program, but had not completed the training curriculum. DISA expects\n           completion of this training by July 31, 2007.\n\n           Additionally, we recommended that the Director, CS disseminate and require the\n           use of automated tools such as the Secure Configuration Compliance Validation\n           Initiative and the Secure Configuration Remediation Initiative. As of\n           December 4, 2006, CS was using the DoD enterprise solution of the Secure\n           Configuration Compliance Validation Initiative and the Secure Configuration\n           Remediation Initiative to implement recommendations in the following areas:\n           passwords, services and protocols, peripheral devices, and configuration settings.\n           However, CS does not expect to have them fully implemented until\n           December 31, 2007.\n4\n    Category III findings are vulnerabilities that provide information that could lead to unauthorized access.\n\n\n\n                                                        6\n\x0cRecommendations, Management Comments, and Audit\n  Response\n    A.1. We recommend that the Chief, Field Security Operations improve the\n    quality assurance process to ensure that script issues are resolved and inform\n    users of any unresolved issues or noncompliance with Security Technical\n    Implementation Guide requirements.\n\n    Management Comments. The Chief, FSO concurred and stated that the FSO\n    had taken proactive measures and implemented changes in the security tool\n    development and release process. In addition, the FSO engaged the Joint\n    Integration Testing Center to perform independent testing of the Gold Disk for the\n    remainder of the FY 2007 releases and planned to expand this effort to include the\n    FSO-developed scripts in FY 2008, based on availability of funding.\n\n    A.2. We recommend that the Director, Defense Information Systems Agency\n    include all vulnerabilities, including those identified during self-assessments,\n    with the appropriate Plan of Action and Milestone in the Vulnerability\n    Management System.\n\n    Management Comments. The DISA Chief Information Officer and the\n    Director, CS concurred. The Director, CS provided additional information\n    indicating that DISA is in the process of implementing the DoD IA tools for the\n    Information Assurance Vulnerability Alert and STIG compliance. He expects to\n    implement the DoD IA tools by December 31, 2007.\n\n    Audit Response. Although the DISA Chief Information Officer and Director, CS\n    concurred with the recommendation, implementing the DoD IA tools will not\n    adequately ensure that vulnerabilities identified during self-assessments will be\n    included in the Vulnerability Management System with the appropriate POA&M.\n    Therefore, we ask that the DISA Chief Information Officer provide additional\n    comments in response to the final report identifying specific actions that will\n    account for vulnerabilities identified during self-assessments and the related\n    POA&M.\n\n\n\n\n                                        7\n\x0c           B. Training\n           DISA did not effectively and consistently monitor IA Awareness training\n           and SA certification requirements for all personnel because DISA had\n           multiple organizations tracking training and certification completions.\n           Without effective and consistent monitoring of training and certification\n           activities, DISA is at risk that access to sensitive information may be\n           inappropriately granted and DISA has little assurance that all SAs have\n           the proper credentials to effectively manage the systems.\n\n\nTraining Requirements\n    DISA provides training and certification activities to personnel. DoD\n    Directive 8570.1, \xe2\x80\x9cInformation Assurance Training, Certification, and Workforce\n    Management,\xe2\x80\x9d August 15, 2004, requires that:\n\n          \xe2\x80\xa2   all authorized users of DoD information systems receive initial IA\n              Awareness orientation as a condition of access and thereafter must\n              complete annual IA Awareness training,\n\n          \xe2\x80\xa2   privileged users and IA managers be fully qualified, trained, and\n              certified to DoD baseline requirements to perform their IA duties,\n\n          \xe2\x80\xa2   the status of the DoD Component IA certification and training be\n              monitored and reported as an element of mission readiness and as a\n              management review item, and\n\n          \xe2\x80\xa2   the heads of DoD Components identify, document, and track IA\n              personnel certifications and certification status.\n\n\nTraining Documentation\n    DISA did not effectively and consistently monitor IA Awareness training and SA\n    certification requirements for all personnel. We selected a judgmental sample of\n    168 training records which show completion of IA Awareness training. Of the\n    168 records, DISA could not provide personnel training records for 26 of the\n    sample items. See Table 2 for the details.\n\n\n\n\n                                        8\n\x0c                    Table 2. IA Awareness Training Record\n                                        Missing       Personnel\n                      Location          Record        Requested\n                  Columbus                 0              4\n                  Headquarters             0              9\n                  Mechanicsburg           23             80\n                  Montgomery               0             17\n                  Ogden                    0             41\n                  Oklahoma City            0             11\n                  Pacific                  1              1\n                  San Antonio              0              3\n                  St. Louis                2              2\n                  Total                   26             168\n\n     Additionally, we selected a judgmental sample of 112 SA Certification training\n     records. The FSO could not provide records for 25 of the 112 SAs to show\n     completion of certifications. See Table 3 for the details.\n\n                   Table 3. SA Certification Training Record\n                                        Missing         SAs\n                      Location          Record        Sampled\n                   Columbus                   0          14\n                   Mechanicsburg             21          23\n                   Montgomery                 4          23\n                   Ogden                      0          12\n                   Oklahoma City              0          38\n                   San Antonio                0           1\n                   St. Louis                  0           1\n                   Total                     25          112\n\n\nTraining and Certification Monitoring\n     DISA used three organizations to document and track IA Awareness training and\n     SA certification and each of these organizations used different systems. The\n     Chief Information Office and Manpower, Personnel, and Security were tracking\n     IA Awareness training using two separate systems, and the FSO was tracking the\n     SA certification activities using a spreadsheet. The Chief Information Office used\n     the Training Notification and Tracking System, while Manpower, Personnel, and\n     Security used the Corporate Management Information System to track IA\n\n\n                                         9\n\x0c    Awareness training. In addition, both of these systems were being replaced by\n    the Washington Headquarters Services Learning Management System and the\n    DISA Online Training System, respectively.\n\n    The FSO did not have an effective system to monitor and track SA certification\n    compliance. Instead, the FSO used a spreadsheet to monitor compliance.\n    Currently, the FSO is developing a system called the DoD IA Learning Center.\n    The mission of the DoD IA Learning Center is to establish and maintain the\n    capability to deliver and track IA-related training to the DoD community through\n    a standard web browser coming from a .MIL domain. Specifically, the DoD IA\n    Learning Center will be able to track course information, training registration and\n    completion, and the capability of reporting to multiple databases.\n\n    With multiple organizations using multiple systems to track training and\n    certification activities, CS cannot effectively or consistently monitor individual\n    training and certification requirements and completion. As a result, some users\n    may not receive the required IA Awareness training, users may not fully\n    understand their security responsibilities, DISA would have little assurance that\n    all SAs have the proper credentials to effectively manage the systems, and access\n    to sensitive information may be inappropriately granted.\n\n\nRecommendations and Management Comments\n    B. We recommend that the Director, Defense Information Systems Agency\n    designate an organization to centrally manage and track all training and\n    certification requirements and completions.\n\n    Management Comments. The DISA Chief Information Officer concurred and\n    stated that DISA issued a policy on March 2, 2007, designating the Manpower,\n    Personnel, and Security Directorate as the organization to centrally manage and\n    track all training.\n\n\n\n\n                                        10\n\x0c           C. Information Assurance\n           While DISA has made improvements in its overall IA program, additional\n           improvements are still needed in the following areas:\n\n                  \xe2\x80\xa2   security documentation,\n                  \xe2\x80\xa2   audit trails,\n                  \xe2\x80\xa2   host-based intrusion detection,\n                  \xe2\x80\xa2   public domain software,\n                  \xe2\x80\xa2   logical and physical access,\n                  \xe2\x80\xa2   incident handling,\n                  \xe2\x80\xa2   configuration management,\n                  \xe2\x80\xa2   asset management, and\n                  \xe2\x80\xa2   contingency plans.\n\n           CS had not fully implemented Federal, DoD, and DISA policies. Until CS\n           effectively implements an IA program that fully complies with DoD and\n           DISA policy, there is an increased risk to the confidentiality, integrity, and\n           availability of the applications operating in the DECCs.\n\n\nInformation Assurance Requirements\n    DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance (IA) Implementation,\xe2\x80\x9d\n    February 6, 2003, establishes security requirements that apply to the definition,\n    configuration, operations, interconnection, and disposal of DoD information\n    systems. The IA controls developed under these requirements form a\n    management framework for allocating, monitoring, and regulating IA resources\n    that is consistent with Federal guidance provided in Office of Management and\n    Budget (OMB) Circular No. A-130, \xe2\x80\x9cSecurity of Federal Automated Information\n    Resources,\xe2\x80\x9d November 28, 2000. OMB Circular A-130 requires that agencies\n    implement and maintain an information security program to ensure that adequate\n    security is provided for agency information that is collected, processed,\n    transmitted, stored, or disseminated in general support systems and major\n    applications.\n\n\nSecurity Documentation\n    Security documentation, such as the System Security Authorization Agreement\n    (SSAA), security plans, authority to operate, and Service Level Agreement\n    (SLA), within CS was not consistently developed, approved, maintained, and\n    updated. Without complete, accurate, and current security documentation, CS\n    increases the risk of implementing inadequate security controls, having operating\n\n\n                                        11\n\x0csystems with risks above the accepted level, and failing to address customer\nrequirements.\n\nSystem Security Authorization Agreement. CS did not consistently develop,\nmaintain, and update the SSAA. The SSAA is a formal agreement between the\nDesignated Approving Authority (DAA), the certifying authority, the IT system\nuser representative, and the program manager. It is used throughout the entire\ncertification and accreditation process and the DAA makes the decision to grant\nan approval to operate based on the information contained in the SSAA. The\ncertification process is a comprehensive evaluation of the technical and\nnon-technical security features of an information system or site. The\naccreditation is a formal declaration by the DAA that an information system or\nsite is approved to operate in a particular security mode using a prescribed set of\nsafeguards at an acceptable level of risk.\n\nDECCs Columbus and Oklahoma City did not update their SSAAs to reflect the\nchanges resulting from the CS transformation that occurred during FYs 2004 and\n2005. DoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology Security\nCertification and Accreditation Process (DITSCAP),\xe2\x80\x9d December 30, 1997,\nrequires that the SSAA be modified to reflect new changes when new design\nrequirements emerge or existing requirements are modified. Because of the\ndynamic nature within the CS environment and the continuous changes in\ntechnology, CS management needs to constantly reassess the adequacy and\ncurrency of the SSAAs. Without current and complete SSAAs, the CS increases\nthe risk of having inadequate security controls and being noncompliant with DoD\npolicies.\n\nDECCs Columbus, Oklahoma City, and Pacific did not identify site criticality\n(MAC level) in their SSAAs because the CS did not prepare the SSAAs to\ninclude all the DoD Instruction 5200.40 requirements. The Instruction requires\nthat the SSAA identify the criticality and the acceptable risk of the site in meeting\nthe mission responsibilities. CS may not identify and implement proper security\ncontrols without the site criticality identified in the SSAAs.\n\nSecurity Plans. DoD Instruction 8500.2 requires that a security plan be\nestablished that describes the technical, administrative, and procedural IA\nprogram and policies and identifies all IA personnel and specific IA requirements\nand objectives. A security plan documents an overview of the information\nsecurity requirements and describes the security controls in place or planned for\nmeeting those requirements. CS did not consistently develop, maintain, and\nupdate the security plans. Specifically, DECC Pacific did not develop an\nadequate security plan. DECC Pacific used an Information System Security\nPolicy as its security plan which did not contain the required elements of a\nsecurity plan. In addition, the DECC Columbus security plan did not reflect the\ncurrent functional description after the CS transformation. OMB Circular A-130\nrequires that the security plan be updated as necessary. Since CS operates in a\ndynamic environment and the technology is constantly changing, CS management\nneeds to constantly reassess the adequacy and currency of the security plans.\nWithout current and complete security plans, CS increases the risk of having\ninadequate security controls and being noncompliant with DoD policies.\n\n\n\n                                     12\n\x0c     Authority to Operate. The DAA did not approve the authority to operate based\n     on timely information. Specifically, DECCs Denver and Jacksonville did not\n     receive an authority to operate in a timely manner; 8 months after their SSAAs\n     were reviewed and signed. This occurred because the DAA did not timely sign\n     the accreditation memo. Outdated, incomplete, and inaccurate information in the\n     SSAA may hinder the DAA decision-making process and increase the likelihood\n     that systems with risks above the accepted level may be approved to operate.\n     Therefore, DISA needs to improve the process to ensure that the accreditation\n     decisions are made in a timely manner.\n\n     Service Level Agreements. DoD Instruction 8500.2 requires that outsourced IT\n     services explicitly address Government, service provider, and end user IA roles\n     and responsibilities. CS did not ensure that customers identify relevant IA\n     requirements during the SLA process to protect systems at the required levels.\n     The SLA is the agreement between the customer and CS on the level of support\n     that CS will provide and the expectations of the customer. None of the 45 SLAs:\n\n            \xe2\x80\xa2   identified the MAC level for customer assets and related applications,\n\n            \xe2\x80\xa2   identified the data disposition and sharing requirements, or\n\n            \xe2\x80\xa2   indicated customer acceptance in the form of a signature.\n\n     The template used to generate the SLAs did not require the MAC level, data\n     disposition and sharing requirements. In addition, CS did not require their\n     customers to sign the SLA. As a DoD service provider for IT services, CS needs\n     to have a clear understanding of its roles and responsibilities, as well as those\n     responsibilities of the customer for each individual application and system.\n     Without addressing the MAC levels and data disposition and sharing\n     requirements, CS may not implement appropriate system settings in accordance\n     with user requirements, which could lead to a higher level of risk. Without\n     customer signatures, CS cannot execute the agreement to provide\n     customer-requested services or hold customers accountable for expenses incurred.\n\n\nAudit Trails\n     CS did not implement effective controls over the creation, review, and security of\n     audit logs. We reported this in our prior year report. Specifically, the audit\n     function was not enabled to create audit logs, audit logs were not reviewed, and\n     audit logs were not properly protected. Audit logs are critical to providing\n     information related to unauthorized and suspicious activities.\n\n     UNIX and Windows system auditing was not enabled in accordance with the\n     DoD STIGs. Ten out of 46 UNIX servers failed to capture the required auditable\n     events. The UNIX STIG requires logging all successful and unsuccessful system\n     accesses, unauthorized file access attempts, and system startup and shutdown.\n     Thirteen out of 31 Windows 2000 systems were not configured to audit access to\n\n\n\n\n                                         13\n\x0c          global system objects and resources. The Windows STIG requires that access\n          events to files, folders, and registry keys be audited. 5\n\n          DECCs Montgomery, Ogden, St. Louis, and San Antonio did not regularly\n          monitor and analyze audit logs in accordance with DoD policy. DoD\n          Instruction 8500.2 requires that audit records from all available sources be\n          regularly reviewed for indications of inappropriate or unusual activities, and that\n          tools be available for the review of audit records and for report generation.\n\n          Ten of the 132 systems did not have proper permission settings to protect the\n          audit logs. Specifically, ten Windows devices were improperly configured. DoD\n          Instruction 8500.2 requires that the contents of audit logs be protected against\n          unauthorized access, modification, or deletion. The Windows 2003/XP/2000\n          Addendum requires that only members of the Auditor Group have full access\n          privileges to Windows audit logs. Full access privileges allow an individual to\n          read, modify, and delete the contents of the audit logs.\n\n          Auditing was not enabled and audit logs were not reviewed because information\n          captured by the system logs was voluminous and the sites did not have automated\n          tools to effectively and efficiently review all the logs. Audit log files were not\n          protected because CS personnel were unaware that some permission settings were\n          incorrectly set. Not capturing and reviewing critical system events on a regular\n          basis increases the risk that inappropriate access or activity may not be detected.\n          In addition, unprotected audit logs can be exposed to unauthorized alteration, and\n          exploited to hide unauthorized or suspicious activities.\n\n          This condition was previously reported in DoD IG Report Number D-2006-086,\n          \xe2\x80\x9cReport on General and Application Controls at the Defense Information Systems\n          Agency, Center for Computing Services,\xe2\x80\x9d May 18, 2006. We recommended that\n          DISA implement consistent procedures across the entity to create, monitor,\n          review, protect, and maintain CS system audit trails. Specifically, DISA should\n          back up audit trails to a different media, maintain the audit trails for at least\n          1 year, and configure permission settings correctly. We also recommended that\n          DISA provide a standard set of auditing tools. DISA is currently reviewing\n          various solutions and plans to begin the acquisition of the auditing tool in late\n          FY 2007. While a tool or a set of tools will greatly improve the data analysis\n          portion of the recommendation, DISA will not be able to analyze any breach of its\n          systems if the audit trail does not exist or is not adequately protected. Therefore,\n          the recommendations remain open, and we are not making any new\n          recommendations.\n\n\nHost-Based Intrusion Detection\n          CS did not deploy host-based intrusion detection system (HIDS) software on all\n          19 Windows 2003, 20 of 31 Windows 2000, and 14 of 48 UNIX systems. HIDS\n          monitors a system or applications log files. HIDS responds with an alarm or a\n\n5\n    The Windows STIG encompasses The Windows 2003/XP/2000 Addendum and the various National\n    Security Agency Guides to Securing Microsoft Windows.\n\n\n\n                                               14\n\x0c    countermeasure when a user attempts to gain access to unauthorized data, file, or\n    services. DoD Instruction 8500.2 requires that HIDS be deployed for all major\n    applications and for network management assets such as routers, switches, and\n    domain name servers. The Windows STIG requires the Information Assurance\n    Manager (IAM) to ensure DoD servers use HIDS.\n\n    This condition was previously reported in DoD IG Report Number D-2006-030,\n    \xe2\x80\x9cReport on Diagnostic Testing at the Defense Information Systems Agency,\n    Center for Computing Services,\xe2\x80\x9d November 30, 2005. We recommended that the\n    Director, CS identify all assets without HIDS and implement HIDS as required.\n    The Director, CS concurred with the finding and stated that HIDS would be\n    implemented DoD-wide once the DoD IA Work Group publishes guidance.\n    According to CS management, DISA awarded a contract to implement a\n    DoD-wide HIDS on March 31, 2006. However, the new DoD-wide HIDS will\n    not be fully implemented until December 2007. Therefore, this recommendation\n    remains open, and we are not making any new recommendations.\n\n\nPublic Domain Software\n    Thirty-six of 57 computers judgmentally sampled contained unauthorized public\n    domain or personal software. See Table 4 for details. DoD Directive 8500.1\n    requires that public domain software products and other software products with\n    limited or no warranty, such as those commonly known as freeware or shareware,\n    should only be used in DoD information systems to meet compelling operational\n    requirements. Such products must be thoroughly assessed for risk and accepted\n    for use by the responsible DAA.\n\n                        Table 4. Unauthorized Software\n                                    Devices with      Devices\n                    Location        Unauthorized      Sampled\n                                      Software\n                 Columbus                  0               3\n                 Mechanicsburg            15              15\n                 Montgomery                1              10\n                 Ogden                    11              16\n                 Oklahoma City             4               5\n                 San Antonio               2               5\n                 St. Louis                 2               2\n                 Pacific                   1               1\n                 Total                    36              57\n\n    As part of the CS transformation, CS management began centralizing the local\n    area networks. This centralization was called the Administrative Local Area\n    Network (Admin LAN). One of the goals for the Admin LAN was to standardize\n\n\n                                        15\n\x0c     end user desktop and laptop software; therefore, CS was waiting for the\n     implementation of the Admin LAN desktop management capabilities. The use of\n     unauthorized public domain and personal software increases the risk of\n     introducing vulnerabilities to the DoD computing environment.\n\n     This condition was previously reported in DoD IG Report Number D-2006-086.\n     We recommended that DISA develop a process to ensure that unapproved public\n     domain software is not installed, to include regular inspection of the workstations.\n     The Director, CS concurred with the finding and stated CS had developed a\n     policy to ensure that public domain software products are not installed on CS\n     systems. This policy includes removing privileged user rights from workstations\n     and monitoring through the implementation of the Admin LAN. However, the\n     monitoring feature within the Admin LAN will not be fully implemented until\n     September 2007. Since we found public domain software was still installed on\n     CS computing devices, this recommendation remains open, and we are not\n     making any new recommendations.\n\n\nLogical and Physical Access\n     Controls over the following processes for remote logical access and physical\n     access can be improved:\n\n            \xe2\x80\xa2 remote access authorization,\n            \xe2\x80\xa2 remote access two-factor authentication,\n            \xe2\x80\xa2 computer facility access authorization,\n            \xe2\x80\xa2 computer facility two-factor authentication, and\n            \xe2\x80\xa2 physical security policy.\n     DISA needs adequate logical and physical access controls to prevent unauthorized\n     individuals from gaining access to sensitive information and CS facilities.\n     Remote Access Authorization. CS did not maintain proper authorization for\n     remote access through a dial-up access. DoD Instruction 8500.2 requires that\n     remote access for privileged functions be discouraged, permitted only for\n     compelling operational needs, and strictly controlled. The Network Infrastructure\n     STIG requires that the IAM develop a policy for secure remote access to the site\n     and that an agreement, signed by the remote user, contains the general security\n     requirements and practices and type of access required by the user. Of 180 users\n     sampled, 17 did not have the appropriate authorization for remote access. Table 5\n     contains the summary of remote access reviewed by location.\n\n\n\n\n                                          16\n\x0c                               Table 5. Remote Access Agreement\n                     Location 6        Unauthorized             User Access\n                                         Access             Agreements Sampled\n                 Mechanicsburg              4                       45\n                 Ogden                      6                       45\n                 Oklahoma City              7                       90\n                 Total                     17                       180\n\n\n          The 4 users at DECC Mechanicsburg had unauthorized access to the dial-up\n          service and the 13 users at DECCs Ogden and Oklahoma City did not have\n          remote access agreements on file. This occurred because CS did not fully\n          implement the access authorization process. Without proper access authorization\n          procedures, CS has little assurance over the number of individuals having access\n          to its systems.\n\n          Remote Access Two-Factor Authentication. CS did not implement two-factor\n          authentication for remote access. Specifically, DECCs Mechanicsburg, Ogden,\n          and Oklahoma City did not use two-factor authentication for remote dial-up\n          access. The Network Infrastructure STIG requires that the Information Assurance\n          Officer (IAO) or Network Security Officer ensure that all remote users are\n          required to use two-factor authentication to access the network. Two-factor\n          authentication is accomplished by using two of the following: user identification,\n          password, or token. DECCs did not use two-factor authentication for remote\n          logical access because the centralization of remote access, as a feature of the\n          Admin LAN, had not been fully implemented. Without a strong authentication\n          mechanism, CS increases the risk that unauthorized individuals may gain access\n          to sensitive information.\n\n          Computer Facility Access Authorization. CS did not maintain proper\n          authorization for computer facility access. From a sample of 566 personnel,\n          34 individuals did not have the appropriate authorization to access the computer\n          facility. Table 6 contains the summary of computer facility access reviewed by\n          location.\n\n\n\n\n6\n    DECC Montgomery does not provide remote access through a remote access server. Therefore, remote\n    access was not tested at DECC Montgomery.\n\n\n\n                                                   17\n\x0c                        Table 6. Computer Facility Access Agreement\n                         Location 7       Unauthorized           User Access\n                                            Access               Agreements\n                                                                  Sampled\n                      Chambersburg                0                  33\n                      Columbus                   33                  45\n                      Dayton                     0                   11\n                      Huntsville                 0                   29\n                      Jacksonville               0                   25\n                      Mechanicsburg              0                   90\n                      Montgomery                 0                   45\n                      Norfolk                     0                  19\n                      Oklahoma City               0                  55\n                      Ogden                       0                  45\n                      Pacific                     0                  45\n                      Rock Island                0                   13\n                      San Antonio                0                   45\n                      St. Louis                  1                   45\n                      Warner Robins              0                   21\n                      Total                      34                  566\n\n\n          DoD Instruction 8500.2 requires that only authorized personnel, with a\n          need-to-know, are granted physical access to computing facilities that process\n          sensitive information or unclassified information. At DECC St. Louis, 1 out of\n          45 badge access request forms could not be located. At DECC Columbus, 33 out\n          of 45 badge access request forms did not have signatures from the appropriate\n          approving authority. This occurred because CS did not fully implement the\n          access authorization process. Without proper access authorization procedures, CS\n          would not be able to account for all badges issued.\n\n          Computer Facility Two-Factor Authentication. Four of 17 DECCs required\n          only one-factor authentication, instead of two-factor authentication. The\n          CS Security Handbook mandates an access control system that requires swiping\n          or presenting of an access card or token and entry of a personal identification\n          number for entry to the computing facility. At DECCs Chambersburg, Pacific,\n          San Antonio, and San Diego, the CS personnel only had to swipe a proximity card\n          to gain access to the computer room. The lack of two-factor authentication\n          increases the risk of unauthorized use of the access card in the event the card is\n          misplaced or stolen.\n\n7\n    DECCs Denver and San Diego do not manage access to the computer facility. They were excluded from\n    this test.\n\n\n\n                                                   18\n\x0c           Physical Security Policy. DECCs Mechanicsburg, Pacific, and St. Louis did not\n           consistently follow physical security policy. At DECCs Mechanicsburg and\n           Pacific, documentation could not be provided to demonstrate that they performed\n           end-of-day and unannounced security checks within the computer facility.\n           DoD Instruction 8500.2 requires that procedures be implemented to ensure the\n           proper handling and storage of information, such as end-of-day security checks\n           and unannounced security checks within the computing facility. In addition,\n           DECCs St. Louis and Pacific did not have a facility penetration process in place\n           to include periodic, unannounced attempts to penetrate key computing facilities.\n           DoD Instruction 8500.2 requires that a facility penetration testing process be in\n           place. Without periodic physical security checks, CS would not be able to\n           identify and correct physical security weaknesses.\n\n\nIncident Handling\n           CS did not consistently complete Reportable Trouble Management System (TMS)\n           Ticket Checklists for 51 of the 242 reportable incidents. Table 7 contains the\n           summary of Reportable TMS Ticket Checklists reviewed by location.\n\n                           Table 7. Reportable TMS Ticket Checklists\n                          Location 8           Incomplete              Checklists\n                                               Checklists              Reviewed\n                     Columbus                       9                     22\n                     Mechanicsburg                 6                      30\n                     Montgomery                    14                     90\n                     Ogden                          2                     30\n                     Oklahoma City                 19                     65\n                     St. Louis                      1                      5\n                     Total                         51                    242\n\n           DISA Computing Services Instruction 360-225-1, \xe2\x80\x9cEvent Reporting Instruction,\xe2\x80\x9d\n           December 7, 2004, requires the completion of a Reportable TMS Ticket Checklist\n           for reportable incidents. The reportable incidents are operations incidents that are\n           determined by CS management to have a significant impact on operations. The\n           checklist includes information such as root cause, the troubleshooting performed,\n           the availability of redundant systems, the overall impact on the customer mission,\n           batch processing delays, and the physical location of the equipment or\n           application.\n\n           The Reportable TMS Ticket Checklists were not always consistently completed\n           and CS management did not periodically review the Reportable TMS Ticket\n8\n    DECC San Antonio is not required to enter reportable incidents on production equipment because it only\n    manages development and test systems. Therefore, incident handling was not tested at DECC San\n    Antonio.\n\n\n\n                                                     19\n\x0c          Checklists to ensure proper completion. Without understanding the requirements\n          of incident reporting and ensuring checklists are completed, CS has little\n          assurance that the Reportable TMS Ticket Checklists would contain detailed\n          records of the reportable incidents. The lack of detailed records on reportable\n          incidents could prevent CS from effectively identifying incident trends,\n          evaluating incident severity, and enhancing incident handling process.\n\n\nConfiguration Management\n          Although CS had made significant improvements in its change and configuration\n          management program by issuing the Operational Change and Configuration\n          Management Plan, improvements were still needed over supervisory approvals.\n          We could not obtain evidence of supervisory review for 3 of 175 change requests\n          and 2 of 96 emergency changes, as shown in Table 8. In addition, DECC Pacific\n          did not follow the Operational Change and Configuration Management Plan.\n\n          DECC Pacific did not follow the Operational Change and Configuration\n          Management Plan. DECC Pacific tracked changes using a local change request\n          form. This local form did not include elements that would assist the local change\n          control board in determining issues such as customer impact and technical\n          feasibility, as required by the change and configuration plan.\n\n                                   Table 8. Change Approval\n                                                            Emergency\n                               Changes                                      Emergency\n                                               Changes       Changes\n              Location 9        Lacked                                       Changes\n                                                Tested        Lacked\n                               Approval                                       Tested\n                                                             Approval\n          Columbus                  2            16             0                 2\n          Mechanicsburg             1            30             0                24\n          Montgomery                0            45             0                42\n          Ogden                     0            30             2                12\n          Oklahoma City             0            35             0                16\n          St. Louis                 0            19             0                 0\n          Total                     3            175            2                96\n          These conditions occurred because the DECCs did not consistently follow the CS\n          change management policies and procedures for documenting and approving\n          changes.\n\n          Our prior year audit report identified significant weaknesses regarding\n          configuration management. The implementation of the Operational Change and\n          Configuration Management Plan remediated many weaknesses identified in the\n\n9\n    Change management was not tested at DECC San Antonio because the DECC only manages development\n    and test systems, not production.\n\n\n\n                                                 20\n\x0c           prior year audit. However, CS did not fully enforce the plan. As a result,\n           unauthorized or inappropriate configuration changes could lead to potentially\n           detrimental modifications to customer applications and negatively impact\n           business operations and the CS infrastructure. CS needs to ensure that all changes\n           are properly approved and documented, and that DECC Pacific follow the\n           Operations Change and Configuration Management Plan.\n\n\nAsset Management\n           Although CS had effective general and application controls over the Integrated\n           Asset and Configuration Management System (IACMS), CS did not consistently\n           perform the quarterly census audit activities. Specifically, 11 of 16 10 DECCs\n           could not provide evidence of performing the required quarterly audit to reconcile\n           the IACMS data to the actual asset inventory. The IACMS is a web-based\n           application designed and developed by CS to be the central repository of asset\n           and configuration data for all CS-managed IT assets for each processing site. All\n           hardware, software, and applications are required to be listed in the IACMS, and\n           it is the source for all inventory-related data calls. The \xe2\x80\x9cDISA Computing\n           Services Operations Operational Change and Configuration Management Plan,\xe2\x80\x9d\n           March 21, 2006, requires that the DECCs quarterly census audits to compare and\n           reconcile IACMS data to property management and asset accounting records. In\n           addition, the Plan requires that a finding report to be generated within 10 working\n           days following each audit. CS did not consistently perform the quarterly census\n           audit activities because CS did not have detailed procedures to instruct the\n           DECCs on how to conduct the required quarterly census audits. Without periodic\n           validation of asset data, CS would not be able to provide accurate and complete\n           reports in response to CS data calls pertaining to IACMS configuration inventory.\n\n\nContingency Plans\n           While CS made improvements in its contingency plan process, management over\n           contingency plans was not effective. Specifically, the site-specific contingency\n           plans were not comprehensive, and 16 of 17 DECCs did not conduct the annual\n           contingency plan testing.\n\n           Site-Specific Contingency Plan. Eleven of 17 DECCs did not have\n           comprehensive site-specific contingency plans. Specifically, DECCs Columbus,\n           Denver, Jacksonville, Ogden, Rock Island, and St. Louis did not identify an\n           alternate process site in their contingency plans. DECCs Chambersburg, Denver,\n           Huntsville, Montgomery, Oklahoma City, Rock Island, San Antonio did not\n           include emergency process priorities in their contingency plans.\n\n\n\n\n10\n     IACMS procedures were not tested at DECC Pacific.\n\n\n\n                                                   21\n\x0c   DoD Instruction 8500.2 requires that:\n\n          \xe2\x80\xa2   alternate sites be identified that permit the partial restoration of\n              mission- or business-essential functions and\n\n          \xe2\x80\xa2   mission- and business-essential functions are identified for priority\n              restoration planning along with all assets supporting mission or\n              business essential functions.\n\n   Periodic Testing. None of the DECCs, with the exception of Mechanicsburg,\n   could provide documentation evidencing the performance of an annual\n   contingency plan test. DoD Instruction 8500.2 requires that the contingency\n   plans be tested annually. This testing would help the DECCs identify deficiencies\n   in the plans, evaluate the viability of the plan, and could assist management in\n   making necessary adjustments.\n\n   Our prior year audit report recommendations included: establishing a standard\n   process to review contingency plans to ensure they are comprehensive and\n   complete, and establishing and implementing standard policies and procedures for\n   performing annual comprehensive contingency plan testing. CS made progress\n   by developing site-specific contingency plans and developing a Concept of\n   Operations document, which requires testing and documenting annual\n   comprehensive contingency plans; however, some plans were not comprehensive\n   and did not include emergency processing priorities. As a result, there is an\n   increased risk that critical business operations would be impaired in the event of\n   service interruptions. Therefore, CS needs to ensure that all DECCs have\n   comprehensive site-specific contingency plans to include all the required\n   elements.\n\n\nSummary\n   CS still needed to improve its overall IA program. The lack of a comprehensive\n   and integrated IA program could lead to security incidents that could go\n   unprevented and undetected. Specifically, without complete, accurate, and\n   current security documentation, CS increases the risk of operating systems with\n   risks above the accepted level, implementing inadequate security controls, and\n   failing to address customer requirements. Failure to perform the required audit\n   functions increases the likelihood of not detecting inappropriate access or\n   activities. Also, unprotected audit logs are exposed to unauthorized alteration,\n   which could be exploited to hide unauthorized or suspicious activities.\n\n   Additionally, the use of unauthorized public domain and personal software\n   increases the risk of introducing vulnerabilities to the DoD computing\n   environment. Also, the lack of a proper access authorization and authentication\n   process and periodic physical security checks increases the risk of unauthorized\n   individuals gaining access to sensitive information and CS facilities.\n\n   Further, the lack of complete Reportable TMS Ticket Checklists could prevent CS\n   from effectively identifying incident trends, evaluating incident severity, and\n\n\n                                        22\n\x0c    enhancing incident handling process. Without fully implementing the\n    Operational Change and Configuration Management Plan, unauthorized or\n    inappropriate configuration changes could lead to potentially detrimental\n    modifications to customer applications and could negatively impact business\n    operations and the CS infrastructure.\n\n    Finally, without developing comprehensive site-specific contingency plans, there\n    is an increased risk that critical business operations would be impaired in the\n    event of service interruptions.\n\n\nRecommendations, Management Comments, and Audit\n  Response\n    C.1. We recommend that the Director, Defense Information Systems Agency\n    implement a process to track and monitor the time between the completion\n    of the System Security Authorization Agreement and the accreditation\n    decision to ensure timely decisions.\n\n    Management Comment. The DISA Chief Information Officer nonconcurred\n    and stated that the tracking of the SSAA and other certification and accreditation\n    materials will be done through the DISA Certification and Accreditation Database\n    and the Edge IA Portal. The Chief Information Officer suggested that the\n    recommendation be reworded to implement a process to track and monitor the\n    time between the completion of the SSAA and other certification and\n    accreditation material needed for a timely accreditation decision.\n\n    Audit Response. Although the DISA Chief Information Officer nonconcurred,\n    the comments are responsive. We agree with the DISA Chief Information Officer\n    on the importance of other certification and accreditation materials and the\n    proposed tracking tool, but we did not reword the recommendation. No further\n    comments are required.\n\n    C.2. We recommend that the Director, Center for Computing Services:\n\n           a. Implement a process to ensure that the certification and\n    accreditation packages are properly developed, approved, maintained, and\n    updated in accordance with applicable Office of Management and Budget\n    and DoD requirements.\n\n    Management Comments. The Director, CS nonconcurred and stated that CS has\n    a process in place to ensure that the certification and accreditation packages are\n    properly developed, approved, maintained, and updated. The Director, CS also\n    indicated that CS will implement the DoD automated tools, as required by the\n    new interim Defense Information Assurance Certification and Accreditation\n    Process, once it is selected by DISA.\n\n    Audit Response. Although the Director, CS nonconcurred, the process described\n    to ensure that the certification and accreditation packages are properly developed,\n    approved, maintained, and updated, and the future implementation of the DoD\n\n\n                                        23\n\x0cautomated tools satisfies the intent of the recommendation. No further comments\nare required.\n\n        b. Require that the Service Level Agreements address all of the\nrequirements of DoD Instruction 8500.2 to include the identification of\ncriticality and data disposition and sharing requirements.\n\nManagement Comments. The Director, CS concurred and stated that CS had\nupdated the SLA format for FY 2007 to include the identification of criticality\nand data disposition and sharing requirements.\n\n       c. Require and verify the customer\xe2\x80\x99s formal acceptance of the Service\nLevel Agreements.\n\nManagement Comments. The Director, CS concurred and stated that CS had\nupdated the SLA format for FY 2007 requiring each customer to formally accept\nthe SLA.\n\n       d. Periodically review all remote access and facility access to ensure\nthat they are authorized and the access request forms are properly\ndocumented and maintained.\n\nManagement Comments. The Director, CS concurred and stated that the CS\nChief of Operations issued a requirement on February 9, 2007, for site directors to\nreview all remote access and facility access to ensure the proper documentation\nand maintenance of authorization and access request forms.\n\n       e. Implement the two-factor authentication mechanism for remote\naccess and physical access across all Defense Enterprise Computing Centers.\n\nManagement Comments. The Director, CS concurred and stated that CS is in\nthe process of implementing the two-factor authentication mechanism for remote\naccess and expects to have it fully implemented by December 31, 2007. He\nindicated that CS requested that the required sites implement the two-factor\nauthentication for physical access.\n\n       f. Develop standard procedures for periodic physical security\nassessments.\n\nManagement Comments. The Director, CS concurred and stated that on\nFebruary 9, 2007, the CS Chief of Operations issued a reminder to all site\ndirectors that they are required to have a physical access penetration-testing\nprogram in place.\n\nAudit Response. Although the Director, CS concurred and issued a reminder\nabout the requirements, the response did not address procedures on how to\nconduct the assessments. DISA is in the process of updating many of its IA\npolicies. We will review those policies and DISA compliance next year to\ndetermine whether the recommendation can be closed. No further comments are\nrequired.\n\n\n\n                                     24\n\x0c       g. Periodically review the Reportable Trouble Management System\nTicket Checklists to ensure that Defense Enterprise Computing Center\npersonnel are properly filling out the checklist in accordance with\nComputing Services Instruction 360-225-1.\n\nManagement Comments. The Director, CS concurred and stated that the\nCS Chief of Operations is in the process of issuing a new Computing Services\nIncident Response Instruction with a revised checklist. He expects the instruction\nto be signed and implemented by March 30, 2007.\n\n     h. Require that configuration changes be properly approved and\ndocumented in accordance with guidelines established by the Operational\nChange and Configuration Management Plan.\n\nManagement Comments. The Director, CS concurred and stated that the\nCS Chief of Operations issued a reminder to all site directors that changes must\nbe approved and documented in accordance with the Operational Change and\nConfiguration Management Plan.\n\n      i. Require Defense Enterprise Computing Center Pacific to follow the\nOperational Change and Configuration Management Plan.\n\nManagement Comments. The Director, CS concurred and stated that\nDECC Pacific will implement the Operational Change and Configuration\nManagement Plan by March 31, 2007.\n\n       j. Establish and implement comprehensive procedures to ensure that\nthe Defense Enterprise Computing Centers perform quarterly census audits\nand reconciliations of the Integrated Asset and Configuration Management\nSystem data.\n\nManagement Comments. The Director, CS concurred and stated that the\nCS Configuration Management Program Office will develop standard operating\nprocedures by March 31, 2007.\n\n       k. Periodically review comprehensive site-specific contingency plans\nto ensure that all required elements are included.\n\nManagement Comments. The Director, CS concurred and stated that the\nCS Enterprise Business Continuity Manager will review all site contingency plans\nfor all required elements by July 31, 2007.\n\n\n\n\n                                    25\n\x0c           D. Defense Enterprise Computing Center\n              Pacific\n           The general controls over DECC Pacific were not effective. Specifically,\n           improvements are needed for controls over security documentation, IA\n           Awareness training, account management, system configurations, audit\n           trails, configuration management, public domain software, data backup,\n           fire and emergency response, facility security, and hardware maintenance\n           and disposal. DECC Pacific had not fully implemented DoD and DISA\n           policies that would have mitigated these weaknesses. Until DECC Pacific\n           effectively implements controls that fully comply with DoD and DISA\n           policy, there is an increased risk to the confidentiality, integrity, and\n           availability of the applications operating in DECC Pacific.\n\n\nGeneral Controls\n    DECC Pacific was not part of the DISA transformation and was not included in\n    our FY 2005 audit. This audit was the first comprehensive review of the controls\n    at DECC Pacific, and we identified many of the same issues identified during our\n    FY 2005 audit of continental United States locations. These issues included:\n\n           \xe2\x80\xa2   security documentation (discussed in finding D),\n           \xe2\x80\xa2   IA Awareness training (discussed in finding B),\n           \xe2\x80\xa2   account management,\n           \xe2\x80\xa2   system configurations,\n           \xe2\x80\xa2   audit trails (discussed in finding D),\n           \xe2\x80\xa2   configuration management (discussed in finding D),\n           \xe2\x80\xa2   public domain software (discussed in finding D),\n           \xe2\x80\xa2   data backup,\n           \xe2\x80\xa2   fire and emergency response,\n           \xe2\x80\xa2   facility security (discussed in finding D), and\n           \xe2\x80\xa2   hardware maintenance and disposal.\n\n    Account Management. DECC Pacific did not fully implement account\n    management controls. Block 14 of the access request form, DD Form 2875, was\n    not properly filled out for the two privileged users we selected. Their\n    DD Form 2875s did not identify them as having privileged access. The CS\n    Security Handbook requires that the user\xe2\x80\x99s \xe2\x80\x9csupervisor must complete Part II,\n    blocks 13 through 20b. The supervisor must identify systems, applications, and\n    privileges.\xe2\x80\x9d The IAM stated that the process for documenting the two DD\n    Form 2875s as being privileged users had been overlooked. In addition,\n    DECC Pacific did not perform the annual re-validation of privileged user\n    accounts as required by the CS Security Handbook. As a result, there is a risk\n\n\n                                       26\n\x0cthat privileged users may be given additional access or have access rights that\nthey no longer need. CS needs to ensure that DECC Pacific adheres to the CS\nSecurity Handbook policy on granting system access to privileged users and\nconducts annual review of privileged user accounts.\n\nSystem Configurations. DECC Pacific did not consistently follow DoD\nInstruction 8500.2 policy pertaining to system configurations. We reviewed\n12 devices and found, 3 devices were missing both warning banners and screen\nlocks, and 1 device was missing a screen lock setting. DoD Instruction 8500.2\nrequires a specific DoD logon warning message and workstation screen-lock\nfunctionality. We reported this condition previously in DoD IG Report Number\nD-2006-030, \xe2\x80\x9cReport on Diagnostic Testing at the Defense Information Systems\nAgency, Center for Computing Services,\xe2\x80\x9d November 30, 2005 We recommended\nthat DISA enforce compliance with the STIGs for configuration and security\nsettings. The Director, CS concurred with the finding and stated that all site\nIAMs have been re-briefed on the STIGs to include configuration and security\nsettings as part of the SA Certification Program. DISA was in the process of\ndeveloping this Program during the audit and stated that current SAs will\ncomplete the Program by July 31, 2007. The SA Certification Program is\nexpected to include the technical and information assurance requirements of the\noperating systems and how to implement these requirements within the DISA\nenvironment. CS needs to ensure that SAs at DECC Pacific participate in the SA\nCertification Program.\n\nAdditionally, out of 12 devices reviewed, 1 device was not updated with current\nanti-virus protection. DoD Instruction 8500.2 requires virus protection that\nincludes a capability for automatic updates. DECC Pacific did not have\nautomated tools to push down the virus updates, and updating the virus protection\nwas a labor-intensive process. As a result, non-compliant systems may be\nexposed to unnecessary risks, such as loss of confidentiality, integrity, or\navailability of data. CS needs to provide DECC Pacific with a mechanism to\nautomatically receive anti-virus updates.\n\nData Backup. Controls over the data and program backup procedures were not\neffective. For example, the DECC Pacific off-site storage agreements were not\nsigned, out of date, and listed former DECC Pacific employees as couriers. In\naddition, DECC Pacific did not have distance waivers for the off-site storage\nlocation being less than the required 25 miles. CS Policy 06-01, \xe2\x80\x9cMagnetic Tape\nBackup and Storage by System Management Center (SMC), Infrastructure\nServices Center (ISC), and Processing Element (PE) Activities,\xe2\x80\x9d October 7, 2005,\nstates that a waiver must be signed for distances less than the 25 mile minimum\ndistance between site and off-site location. DECC Pacific needs to have current\nand signed off-site storage agreements. Additionally, CS needs to provide official\ndocumentation accepting the risk of having an off-site storage location less than\nthe required 25 miles away.\n\nDECC Pacific had one iteration of tapes stored at one of the two off-site locations.\nDISA Computing Services Letter of Instruction 06-01 requires two iterations of\nbackups be maintained at the off-site storage location. In addition, Microsoft\nWindows backups being sent off-site were incomplete. DoD Instruction 8500.2\nrequires that data backup be performed daily and recovery media is stored off-site\n\n\n                                    27\n\x0c    at a location that affords protection of the data in accordance with its MAC and\n    confidentiality level. DECC Pacific was aware of the situation, but could not\n    identified a cause for the incomplete backup at the time of the audit. As a result,\n    DECC Pacific inappropriately used time and resources by creating incomplete\n    backups and sending them off-site. In the event that a backup needs to be\n    restored, the appropriate backup tapes may not be available for recovery.\n    DECC Pacific needs to have two iterations of backups maintained at the off-site\n    storage location. Additionally, DECC Pacific needs to identify and resolve\n    backup tape creation issues to allow for the creation of complete backup tapes.\n\n    Environmental Controls. DECC Pacific did not maintain records proving\n    periodic fire marshal inspection and did not conduct environmental controls\n    training. DoD Instruction 8500.2 requires that computing facilities undergo a\n    periodic fire marshal inspection and deficiencies are promptly resolved and that\n    all employees receive initial and periodic training in the operation of\n    environmental controls. Without proper documentation of fire marshal\n    inspections, DECC Pacific would not be able to promptly resolve deficiencies. In\n    addition, without proper environmental controls training, personnel may not know\n    how to respond in the event of an emergency. DECC Pacific needs to maintain\n    records of fire marshal inspections and provide personnel with environmental\n    controls training and document the training.\n\n    Hard Drive Disposal. Controls over hard drive disposals were not effective.\n    DECC Pacific does not maintain a list of all hard drives that have been sanitized,\n    degaussed, or destroyed. The Assistant Secretary of Defense Memorandum,\n    \xe2\x80\x9cDisposition of Unclassified DoD Computer Hard Drives,\xe2\x80\x9d June 4, 2001, requires\n    a list of sanitized, degaussed, or destroyed hard drive be maintained by the\n    certifier. Without a record to certify that hard drives have been properly\n    disposed, DECC Pacific would have no assurance that all disposed hard drives\n    have gone through the appropriate precautionary procedures before being released\n    outside DoD. DECC Pacific needs to maintain records of all disposed hard drives\n    to prevent the risk of exposing sensitive DoD information and data.\n\n\nRecommendations and Management Comments\n    D. We recommend that the Director, Center for Computing Service:\n\n           1. Require Defense Enterprise Computing Center Pacific to follow\n    the access authorization and access re-validation procedures for privileged\n    accounts outlined in the Center for Computing Services Security Handbook.\n\n    Management Comments. The Director, CS concurred and stated that\n    DECC Pacific completed the re-validation of all privileged access authorizations\n    in accordance with the CS Security Handbook on January 15, 2007.\n\n          2. Require Defense Enterprise Computing Center Pacific System\n    Administrators to participate in the System Administrator Certification\n    Program.\n\n\n\n                                         28\n\x0cManagement Comments. The Director, CS concurred and stated that CS now\nrequires all DECC Pacific SAs to participate in the SA Certification Program.\n\n     3. Provide Defense Enterprise Computing Center Pacific with a\nmechanism to receive automatic anti-virus updates.\n\nManagement Comments. The Director, CS concurred and stated that\nDECC Pacific now has a mechanism to receive automatic anti-virus updates.\n\n       4. Require that Defense Enterprise Computing Center Pacific have\nsigned and current off-site storage agreements.\n\nManagement Comments. The Director, CS concurred and stated that\nDECC Pacific will have a signed and current off-site storage agreement by\nMarch 31, 2007.\n\n     5. Provide an official risk acceptance for the Defense Enterprise\nComputing Center Pacific off-site storage location being less than the\nminimum required 25 miles.\n\nManagement Comments. The Director, CS concurred and stated that the\nCS Chief of Operations will provide DECC Pacific with a waiver for the off-site\nstorage location being less than the minimum required distance by March 31,\n2007.\n\n        6. Enforce the Defense Information Systems Agency Computing\nServices Letter of Instruction 06-01 on Defense Enterprise Computing\nCenter Pacific requiring that two iterations of backups be maintained at the\noff-site storage location.\n\nManagement Comments. The Director, CS concurred and stated that\nDECC Pacific backup procedures will be compliant with the DISA CS Letter of\nInstruction 06-01 by April 30, 2007.\n\n       7. Assist Defense Enterprise Computing Center Pacific in identifying\nand resolving backup tape creation issues.\n\nManagement Comments. The Director, CS concurred and stated that\nDECC Pacific will implement proper backup procedures by April 30, 2007.\n\n      8. Require Defense Enterprise Computing Center Pacific to adhere to\nDoD Instruction 8500.2 regarding periodic fire marshal inspections and\nmaintain the inspection records.\n\nManagement Comments. The Director, CS concurred and stated that\nDECC Pacific will have annual fire marshal inspections and maintain the\ninspection records.\n\n      9. Require Defense Enterprise Computing Center Pacific to adhere to\nDoD Instruction 8500.2 on the training requirements for the operation of\nenvironmental controls and maintain the training records.\n\n\n                                   29\n\x0cManagement Comments. The Director, CS concurred and stated that\nDECC Pacific will have its maintenance personnel properly trained by\nMarch 31, 2007, and will maintain the training records.\n\n       10. Require Defense Enterprise Computing Center Pacific to\nimplement a control to account for all disposed hard drives in accordance\nwith the Assistant Secretary of Defense Memorandum, \xe2\x80\x9cDisposition of\nUnclassified DoD Computer Hard Drives.\xe2\x80\x9d\n\nManagement Comments. The Director, CS concurred and stated that\nDECC Pacific updated its security standard operating procedures on\nFebruary 15, 2007, to include the proper procedures for disposing unclassified\nhard drives in accordance with the Assistant Secretary of Defense Memorandum,\n\xe2\x80\x9cDisposition of Unclassified DoD Computer Hard Drives.\xe2\x80\x9d\n\n\n\n\n                                  30\n\x0cAppendix A. Scope and Methodology\n   We performed IA and compliance assessment procedures of the DISA CS\n   controls at 17 data processing locations from December 1, 2005, through January\n   17, 2007. This assessment was performed in accordance with the American\n   Institute of Certified Public Accountants Statement on Auditing Standards 70 and\n   with generally accepted government auditing standards. Specifically, the audit\n   was intended to determine whether DISA (1) general controls over CS are\n   suitably designed and operating effectively; (2) application controls for an\n   internal application system, IACMS, are suitably designed and operating\n   effectively; and (3) CS is in compliance with applicable Federal and DoD IT and\n   IA policies. The scope of this audit was limited to unclassified systems that DISA\n   manages within the DECCs.\n\n   The audit methodology used to perform the compliance assessment procedures\n   was developed using the audit methodologies defined by the Federal Information\n   System Controls Audit Manual and the Government Accountability Office (GAO)\n   Financial Audit Manual. The audit program was developed using the CS Security\n   Handbook and the following DoD IA documentation: DoD Directive 8500.1,\n   \xe2\x80\x9cInformation Assurance,\xe2\x80\x9d DoD Instruction 8500.2, \xe2\x80\x9cInformation Assurance\n   Implementation,\xe2\x80\x9d DoD Instruction 5200.40, \xe2\x80\x9cDoD Information Technology\n   Security Certification and Accreditation Process (DITSCAP),\xe2\x80\x9d DoD\n   Manual 8510.1-M, \xe2\x80\x9cDoD Information Technology Security Certification and\n   Accreditation Process (DITSCAP) Application Manual,\xe2\x80\x9d and DoD STIGs.\n\n   SAS 70 Procedures. We assessed the design and operating effectiveness of IT\n   controls specified by DISA management at the following DISA and CS\n   Headquarters locations:\n\n          \xe2\x80\xa2   Arlington, Virginia - Chief Information Office and Manpower,\n              Personnel and Security;\n\n          \xe2\x80\xa2   Chambersburg, Pennsylvania - Business Management Center,\n              Logistics, and FSO;\n\n          \xe2\x80\xa2   Denver, Colorado - CS Headquarters, Business Management Center\n              and Logistics; and\n\n          \xe2\x80\xa2   Falls Church, Virginia - CS Headquarters.\n\n   We reviewed the controls at DISA and CS Headquarters locations to obtain an\n   understanding of the centralized functions of the organization. This included\n   obtaining an understanding of the 14 categories on the next page and of the\n   entity-wide policies and procedures for risk assessment, security planning,\n   monitoring, and security management; personnel security and human resource\n   management; and the SLAs process between CS and its user organizations.\n\n\n\n\n                                       31\n\x0cWe assessed IT controls at the following CS Locations:\n\n                   Center for Computing Services Locations\nSystem Management Centers                Processing Elements\n   Mechanicsburg, Pennsylvania             Chambersburg, Pennsylvania\n   Montgomery, Alabama                     Dayton, Ohio\n   Ogden, Utah                             Denver, Colorado\n   Oklahoma City, Oklahoma                 Huntsville, Alabama\nInfrastructure Services Centers            Jacksonville, Florida\n   Columbus, Ohio                          Norfolk, Virginia\n   San Antonio, Texas                      Rock Island, Illinois\n   St. Louis, Missouri                     San Diego, California\nDefense Enterprise Computing Center        Warner Robins, Georgia\n   Pearl Harbor, Hawaii\n\nWe conducted a full review at all the System Management Centers, Infrastructure\nServices Centers, and DECC Pacific. The full review consisted of IT controls in\nthe following 14 categories, as specified by CS.\n\n       \xe2\x80\xa2   security program\n       \xe2\x80\xa2   risk assessments,\n       \xe2\x80\xa2   site security plans,\n       \xe2\x80\xa2   security management,\n       \xe2\x80\xa2   personnel policies,\n       \xe2\x80\xa2   information resource classification,\n       \xe2\x80\xa2   user account management,\n       \xe2\x80\xa2   physical access,\n       \xe2\x80\xa2   logical access,\n       \xe2\x80\xa2   network and telecommunications security,\n       \xe2\x80\xa2   incident response,\n       \xe2\x80\xa2   access monitoring procedures,\n       \xe2\x80\xa2   systems changes to DISA-owned assets, and\n       \xe2\x80\xa2   service continuity procedures.\n\nWe performed a limited review at all the Processing Elements. The limited\nreview consisted of IT controls in the areas of physical access and service\ncontinuity.\n\n\n\n\n                                    32\n\x0cCompliance Assessment Procedures. DoD has developed STIGs for a variety\nof common computer platforms in the DoD environment. We used the DoD\nSTIGs to develop appropriate risk-based audit procedures.\n\nDoD has categorized STIG vulnerabilities into four categories ranging from the\nmost critical (Category I) to least critical (Category IV). Category I and II\nrepresent the most significant risk of having an operational impact on CS\noperations. We tested all Category I and Category II STIG requirements.\n\nWe assessed a statistical sample of the CS unclassified systems from May 2006\nthrough July 2006. See Appendix C for statistical sampling details. The\ncompliance assessment procedures included: (1) reviewing the FSO scripts (for\nthose platforms that have such scripts) and validating scripts against the STIGs,\n(2) running the DISA scripts or performing manual procedures against systems in\nthe selected statistical sample, and (3) evaluating the results against the defined\nsettings in the STIGs. In addition to the scripts, we also reviewed additional\nreports that were coordinated with FSO and CS such as Computer\nAssociate-Examine for the IBM mainframe systems in the sample. During the\naudit we encountered a few devices that we could not perform substantive testing.\nSee Appendix C for details.\n\nIf a vulnerability was identified through either the script or manual review\nprocess, we discussed it with the site IAM and the respective SA. We also\nrequested documentation from CS for the DAA acceptance of the vulnerability, if\napplicable.\n\nWe assessed the DECCs compliance with DITSCAP requirements by reviewing\nthe available SSAA and Certification and Accreditation documentation.\n\nWe assessed DECC compliance with DoD Instruction 8500.2 by reviewing\ndocumentation supporting the DECC\xe2\x80\x99s policies, assignment of responsibilities,\nand procedures for applying integrated, layered protection of DoD information\nsystems and networks controlled by CS.\n\nApplication Controls. We assessed application controls over the IACMS\napplication owned and operated by CS. Specifically, we reviewed the inputs,\nprocesses, and outputs of the IACMS application that CS uses to track individual\nCS computer assets in its computing environment.\n\nSampling Methodology. We based our sampling on the GAO Financial Audit\nManual, Section 450. When possible, we selected judgmental samples of 45 at\neach site or used the entire population.\n\nUse of Computer-Processed Data. We did not rely on computer-processed data\nto perform this audit. Rather, we assessed the configuration settings and controls\nimplemented on the devices tested that involved computer-extracted data such as\nuser password settings and services running on the devices.\n\nUser of Technical Assistance. The Technical Assessment Directorate of the\nDoD Office of Inspector General reviewed test plans and audit results.\n\n\n\n                                    33\n\x0cAdditionally, we received assistance from the Quantitative Methods Director of\nthe DoD Office of Inspector General for development of the sampling process.\n\nGovernment Accountability Office High-Risk Area. The GAO has identified\nseveral high-risk areas in DoD. This report provides coverage of the effective\nManagement of Information Technology Investments high-risk area.\n\n\n\n\n                                   34\n\x0cAppendix B. Prior Coverage\n    During the last five years, the GAO and the Department of Defense Inspector\n    General (DoD IG) have issued 9 reports discussing the topic of improving DISA\n    investment planning and management controls. Unrestricted GAO reports can be\n    accessed over the Internet at http://www.gao.gov. Unrestricted DoD IG reports\n    can be accessed at http://www.dodig.mil/audit/reports.\n\n\nGAO\n    GAO Report No. GAO-02-50, \xe2\x80\x9cDefense Information Systems Agency Can\n    Improve Investment Planning and Management Controls,\xe2\x80\x9d March 2002\n\n\nDoD IG\n    DoD IG Report No. D-2006-107, \xe2\x80\x9cDefense Departmental Reporting System and\n    Related Financial Statement Compilation Process Controls Placed in Operation\n    and Tests of Operating Effectiveness for the Period October 1, 2004, through\n    March 31, 2005,\xe2\x80\x9d August 18, 2006\n\n    DoD IG Report No. D-2005-086, \xe2\x80\x9cReport on General and Application Controls at\n    the Defense Information Systems Agency, Center for Computing Services,\xe2\x80\x9d\n    May 18, 2006\n\n    DoD IG Report No. D-2006-046, \xe2\x80\x9cTechnical Report on the Defense Property\n    Accountability System,\xe2\x80\x9d January 27, 2006\n\n    DoD IG Report No. D-2006-030, \xe2\x80\x9cReport on Diagnostic Testing at the Defense\n    Information Systems Agency, Center for Computing Services,\xe2\x80\x9d\n    November 30, 2005\n\n    DoD IG Report No. D-2006-031, \xe2\x80\x9cReport on Penetration Testing at the Defense\n    Information Systems Agency, Center for Computing Services,\xe2\x80\x9d\n    November 30, 2005\n\n    DoD IG Report No. D-2005-105, \xe2\x80\x9cReport on Defense Information Systems\n    Agency, Center for Computing Services Controls Placed in Operation and Tests\n    of Operating Effectiveness for the Period October 1, 2004 through\n    April 30, 2005,\xe2\x80\x9d September 6, 2005\n\n    DoD IG Report No. D-2005-093, \xe2\x80\x9cTechnical Report on the Standard Finance\n    System,\xe2\x80\x9d August 17, 2005\n\n    DoD IG Report No. D-2005-069, \xe2\x80\x9cAudit of the General and Application Controls\n    of the Defense Civilian Pay System,\xe2\x80\x9d May 13, 2005\n\n\n                                      35\n\x0cAppendix C. Sampling Approach\n\nOverview\n    The general controls testing required detailed technical analysis of selected\n    security settings and configurations. General controls testing encompassed\n    diagnostic testing, which is the testing of the technical controls implemented in\n    the CS environment. We developed work programs based on the DoD STIGs and\n    DoD Instruction 8500.2. Diagnostic testing consisted of an analysis of data\n    extracted by automated scripts and supplemented by interviews with site SAs.\n    Due to the high number and variety of system devices managed by CS, a\n    statistical sampling approach was employed to select the items to be tested. Upon\n    completion of testing, we summarized exceptions following DoD and DISA\n    criteria, and statistically projected the results to the CS environment.\n\n\nSampling Approach and Objective\n    One of the audit objectives was to determine whether CS general controls were\n    adequately designed and operating effectively. We selected a sample of assets,\n    covering different technologies, to determine the level of compliance with DoD\n    and CS policies. We followed the GAO Financial Audit Manual Section 450 to\n    determine a sample size for diagnostic testing. We used the sampling strategy to\n    obtain an estimated upper limit for the rate of logical information systems\n    controls at risk in the population within 5 percent precision at the 90 percent\n    confidence level for comparison to the GAO Financial Audit Manual; and to\n    obtain an overall estimate of the number of logical information systems controls\n    at risk.\n\n\nSampling Design\n    Sample Frame. The FSO provided an inventory of CS systems extracted from\n    the VMS. The FSO provided an inventory list as of February 14, 2006, that\n    contained 5,767 assets across all CS data centers. We modified the inventory list\n    by eliminating non-applicable assets, DECC Europe assets, and non-CS assets.\n    As a result, the sampling frame contained 4,846 assets. Table C-1 shows the\n    modified sampling frame by group.\n\n\n\n\n                                        36\n\x0c                Table C-1. Sampling Frame by Group\n                Group       Operating System         Assets\n                  1         Other                      1,096\n                  2         IBM Mainframe                127\n                  3         UNIX                       1,617\n                  4         Windows                    2,006\n                Total                                  4,846\n\nSample Size. At 90 percent confidence, the estimated sample size needed to\nobtain 5 percent precision was 117 items. We imposed a minimum number of\n20 items per group, which resulted in a total sample size of 141 items.\n\nDuring fieldwork, we discovered an additional 22 out-of-scope (such as assets not\nconnected to the network or classified systems) and 18 decommissioned assets.\nAs a result, the original sample of 141 devices decreased to 101 devices available\nfor testing. To maintain a sufficient sample size, we supplemented 40 items to the\nsample. We selected supplemental assets using the same random seed as the\noriginal sample in order to preserve the original selection probabilities and the\nrandomness of the sample. Table C-2 shows the original sample size, the sample\navailable for testing, supplemental items, and the adjusted sample size by group.\n\n   Table C-2. Original, Supplemental, and Adjusted Sample Size by Group\n                                       Original\n                                                                        Adjusted\n             Operating Original        Sample         Supplemental\n   Group                                                                Sample\n              System   Sample        Available for       Items\n                                                                          Size\n                                       Testing\n     1      Other            20            8                12             32\n            IBM\n     2                       20            16                  4           24\n            Mainframe\n    3       UNIX              47            39              8              55\n    4       Windows           54            38              16             70\n   Total                     141           101              40             181\n\nWe did not complete testing on all sampled devices. We did not test one\nmainframe device and one Windows device due to timing constraints. We also\ndiscovered that one network device never existed. In addition, we encountered\none UNIX device that had a non-configurable operating system. We also did not\ntest three network devices, one UNIX device, and one Windows device due to\nresource constraints.\n\n\n\n\n                                    37\n\x0cSample Results\n     Testing Criteria. To determine the non-failure or failure of each device, we used\n     the DISA Computing Services Operations Policy Letter CS 05-09, \xe2\x80\x9cMandatory\n     Information Assurance Guidance,\xe2\x80\x9d August 31, 2005. For the estimation\n     calculation, we used a total of 181 systems, which included the 22 out-of-scope,\n     18 decommissioned and 9 not-tested devices. We treated out-of-scope,\n     decommissioned, and not tested items as non-failures. The inclusion of these\n     non-failure items produced a conservative estimate of the percentage of failures.\n     Table C-3 lists the non-failures and failures found within each group.\n\n                      Table C-3. Sample Evaluation Results\n              Operating             Sample           Non-             Failures\n                System               Items         Failures*\n           Other                       32              25                 7\n           IBM Mainframe               24              5                 19\n           UNIX                        55              50                5\n           Windows                     70              34                36\n           Totals                     181             114                67\n\n            * Non-failures include decommissioned, out-of-scope, and not-tested items.\n\nResult Interpretations\n     The estimated percent of logical information systems access controls failures is\n     about 31 percent. The percentage of failures would only apply to the projection\n     of the sample frame of 4,846 assets, as shown in Table C-4. The 90 percent upper\n     confidence bound is about 35 percent.\n\n     According to the GAO Financial Audit Manual Section 450, at 90 percent\n     confidence, an upper confidence boundary at less than 5 percent indicates that the\n     auditors can have high reliance on controls; an upper confidence boundary\n     between 5 percent to 10 percent indicates that the auditors can have moderate\n     reliance on controls; and an upper confidence boundary at greater than 10 percent\n     indicates that the auditors can have little or no reliance on controls. Thus, the\n     estimate and the upper confidence boundary exceed the upper tolerable limits,\n     according to GAO Financial Audit Manual Section 450. Based on the sample\n     results, we concluded that the logical information systems access controls are not\n     operating as designed and cannot be relied upon.\n\n\n\n\n                                             38\n\x0c                                         Table C-4. Sample Counts by Group\n\n                                 Original Counts                Adjusted Sample      Sample Results\n\n        Operating      Original      Sample     Original    Supplemental     Final  Non-                 Estimated\nGroup                                                                                         Failures\n         System       Population     Frame      Sample         Items        Sample Failures              Weights*\n\n  1     Other            1,666        1,096        20             12          32      25         7         34.25\n\n        IBM\n  2                       141          127         20              4          24       5        19         5.29\n        Mainframe\n\n  3     UNIX             1,715        1,617        47              8          55      50         5         29.40\n\n  4     Windows          2,245        2,006        54             16          70      34        36         28.66\n\nTotal                    5,767        4,846        141            40         181      114       67\n\n *The estimation weight is the inverse of the achieved sampling fraction.\n\n\n\n\n                                                           39\n\x0cAppendix D. STIG Compliance\n   The CS had ineffective processes for managing computing device configuration\n   in accordance with the DoD STIGs. We identified noncompliant trends in\n   password and account management, system permissions, security settings,\n   mainframe configuration settings, and baseline comparisons. Many of these\n   issues were identified in prior audit reports.\n\n   Note: For reporting purpose, we are only including results from the devices that\n   we have performed substantive testing. Therefore, the total number of devices in\n   the body of the report tested will differ from the total number used for statistical\n   projection. See Appendix C for details.\n\n   Password and Account Management. CS continued to have issues\n   implementing controls over password policies and account management. Shorter\n   password lengths and infrequently changed passwords increase the likelihood of a\n   successful brute force attack against the account. Also, the use of shared accounts\n   limits the usefulness of audit trails and holding users accountable for their actions.\n   We identified the following issues with CS password and account management.\n\n          \xe2\x80\xa2   Sixteen of 29 Windows 2000, 3 of 19 Windows 2003, and all\n              4 Windows XP devices were not configured to require password\n              changes for application accounts on an annual basis. The Windows\n              2003/XP/2000 Addendum (Section 4.4.2) requires application account\n              passwords to be changed on a yearly basis.\n\n          \xe2\x80\xa2   Fifteen of 29 Windows 2000 systems allowed non-administrators to\n              increase quota rights. The Guide to Securing Windows 2000\n              (Chapter 4) requires that only administrators have the ability to\n              increase the processor quota assigned to a process.\n\n          \xe2\x80\xa2   One of 3 Cisco Routers and 6 of 6 Juniper Routers did not have\n              individual accounts for administrators. The Network STIG\n              (Requirement NET0460) requires that each user have his own account\n              to access the router with a username and password.\n\n          \xe2\x80\xa2   Twenty-three of 46 UNIX devices did not properly configure the\n              account lockout setting. The UNIX STIG (Requirement GEN000460)\n              requires that the account be locked after three consecutive failed logon\n              attempts.\n\n          \xe2\x80\xa2   Two of 19 mainframes did not meet password complexity\n              requirements. The OS/390 and z/OS STIG (Requirement RACF0460)\n              requires that passwords be set to a minimum 8-character mix of letters\n              and numbers.\n\n   System Permissions. Permissions to limit access to devices, directories, and files\n   and registry settings were not in compliance with DoD STIGs. System\n   permissions commonly include account privileges to execute processes and access\n   control lists that provide file access permissions. As a result, vulnerabilities\n\n\n                                        40\n\x0ccreated from incorrectly set permissions could compromise the device and\nprovide users with unauthorized access to configuration settings and data.\n\n         Windows Permissions. Eighteen of 29 Windows 2000 and 11 of\n19 Windows 2003 systems had incorrect user rights settings that allowed users to\nact as part of the operating system. The user rights setting defines the user\xe2\x80\x99s\nability to perform certain system functionality. The Windows STIG (Chapter 5)\nrequires that no one to have the right to act as part of the operating system.\n\n         UNIX Permissions. The SAs did not configure 8 of 46 UNIX devices in\naccordance with the STIG requirement. The UNIX STIG (Requirement G053)\nrequires the SA to ensure that user home directories have initial access\npermissions set to 700, and never more permissive than 750, unless fully justified\nand documented by the IAO. A user is assigned a home directory to maintain\nfiles for the user\xe2\x80\x99s exclusive use. A permission setting of 700 allows read, write,\nand execute privileges to the owner and no privileges to the user\xe2\x80\x99s group or any\nother user. Permission settings above 750 would allow group read and execution\nof selected files.\n\n         In addition, the SAs did not configure 9 out of 46 UNIX devices with an\nUmask setting to 077. Umask defines the permissions a file has when the file is\ninitially created on the UNIX device. The UNIX STIG (Requirement G089)\nrequires that the Umask be set to a default value of 077, so only the file owner has\nread, write, and execute privileges while other users have no privileges.\n\n       Network Permissions. Authentication servers were not used to grant\nadministrative access in one of three Cisco Routers and six of six Juniper Routers.\nThe Network STIG (Requirement NET0430) requires the IAO or Network\nSecurity Officer to ensure that an authentication server is used to gain\nadministrative access to routers. Authentication servers provide centralized\nauthentication to the routers and controls the authority levels granted to users in\nthem.\n\nSecurity Settings. Security settings were incorrectly configured for Windows\nand Network devices. Vulnerabilities created from incorrect security settings\ncould compromise the device and provide users with unauthorized access to\nconfiguration settings and data.\n\n        Services. Fifteen of 29 Windows 2000 systems did not enable the\n\xe2\x80\x9cPrevent Automatic Updates\xe2\x80\x9d setting. Windows STIG (Requirement 5.060)\nrequires that the IAO ensure the \xe2\x80\x9cPrevent Automatic Updates\xe2\x80\x9d setting is enabled.\nSettings for services were set incorrectly or not disabled for 24 of 29 Windows\n2000, 11 of 19 Windows 2003, and all 4 Windows XP. Windows STIG\n(Requirement 5.068) requires the IAO and SA to ensure that unnecessary services\nbe removed or disabled. Two of 3 Cisco routers had Proxy ARP enabled. The\nNetwork STIG (Requirement NET0780) requires Proxy ARP to be disabled\nbecause Proxy ARP would allow a router to extend the network across multiple\ninterfaces. Running unnecessary services, or services not properly secured, could\nallow a malicious user to exploit vulnerabilities of a service to gain access to the\ndevice.\n\n\n\n                                     41\n\x0c                    Warning Banners. The SAs did not deploy warning banners on all six\n            Network Juniper routers. The Network STIG (Requirement NET0340) requires\n            that the Network Security Officer ensure the deployment of warning banners on\n            all network devices allowing Secure Shell, 11 telnet, 12 file transfer protocol, or\n            hypertext transfer protocol access. The absence of a warning banner could be\n            construed as an invitation, without restriction, to log on to the device.\n\n            Mainframe Configuration Settings. Mainframes at DECCs Mechanicsburg,\n            Ogden and St. Louis were not in compliance with the Mainframe STIG for the\n            following critical mainframe operating system components.\n\n                   \xe2\x80\xa2   Fourteen of the 19 mainframes did not have the correct Customer\n                       Information Control System configuration. The Customer Information\n                       Control System allows programmers to develop application code to\n                       perform interactive processing. Section 8.2 of the Mainframe STIG\n                       requires that the IAO implement a series of Customer Information\n                       Control System permission settings to provide multi-leveled access and\n                       resource protection.\n\n                   \xe2\x80\xa2   Twelve of the 19 mainframes did not have the correct OS/390 UNIX\n                       System Services configuration. The OS/390 UNIX System Services\n                       provides a UNIX environment to mainframe users. Section 2.5 of the\n                       Mainframe STIG requires a series of configuration settings in order to\n                       provide mainframe users with UNIX functions.\n\n                   \xe2\x80\xa2   Eight of the 19 mainframes did not have the correct Communication\n                       Server configuration. The Communications Server supports secure\n                       networking on an enterprise scale. Section 4.4 of the Mainframe STIG\n                       requires a series of configuration settings to enhance network security.\n\n            Failure to effectively manage the supporting infrastructure increases the risk of an\n            individual gaining unauthorized access to information assets and network\n            resources.\n\n            Baseline Comparison. SAs did not follow DoD STIGs for creating, checking,\n            and maintaining system baselines for UNIX and Windows systems. A baseline is\n            an image, record, or backup that contains a snapshot of the system after it has\n            been fully loaded with operating system files, applications, and users. Thus,\n            unauthorized changes may indicate system compromise and a baseline may\n            prevent serious damage by detecting unauthorized changes in a timely manner.\n            The IAO is responsible for verifying the system baseline and the IAM is\n            responsible for setting the overall baseline creation and maintenance policy.\n\n\n\n\n11\n      Sometimes known as Secure Socket Shell, it is a UNIX-based command interface and protocol for\n     securely accessing a remote computer.\n12\n      A utility program and protocol that allows one to connect to another computer on a network. After\n     providing a username and password to login to the remote computer, one can enter commands that will be\n     executed as if entered directly from the remote computer\xe2\x80\x99s console.\n\n\n\n                                                     42\n\x0cThe following devices did not comply with STIG requirements on baseline\ncomparison.\n\n       \xe2\x80\xa2   Eighteen of 46 UNIX systems did not compare the audit events file to\n           the baseline backup file and follow up on discrepancies. The UNIX\n           STIG (Section 10.1.1) requires that the audit event file be compared\n           against its baseline backup file and for the IAO to investigate any\n           discrepancies.\n\n       \xe2\x80\xa2   Fourteen of 29 Windows 2000 devices and 9 of 19 Windows\n           2003 devices did not have evidence that system baselines were being\n           created and reviewed by the SA and IAO. The Windows STIG\n           (Requirement 1.024) requires the SA to create, check, and maintain a\n           current system baseline for all servers and critical workstations.\n\n\n\n\n                                   43\n\x0cAppendix E. Criteria for Technical Evaluation\n    All devices from the statistical sample were compared to the following criteria to\n    determine whether each device individually met the criteria to operate in the CS\n    environment.\n\n\nConnection Approval Process\n    \xe2\x80\x9cMandatory Information Assurance Guidance, DISA Computing Services\n    Operations Policy Letter 05-09,\xe2\x80\x9d 31 August 2005.\n\n\nMainframe\n    \xe2\x80\x9cSRR Review Procedures OS/390 & z/OS TSS Checklist,\xe2\x80\x9d Version 5,\n    Release 1.1, January 2006\n\n    \xe2\x80\x9cSRR Review Procedures OS/390 & z/OS RACF Checklist,\xe2\x80\x9d Version 5,\n    Release 1.1, January 2006\n\n    \xe2\x80\x9cSRR Review Procedures OS/390 & z/OS ACF2 Checklist,\xe2\x80\x9d Version 5,\n    Release 1.1, January 2006\n\n    \xe2\x80\x9cOS/390 & z/OS Security Technical Implementation Guide,\xe2\x80\x9d Version 5,\n    Release 1, January 21, 2005\n\n\nNetwork\n    \xe2\x80\x9cNetwork Infrastructure Security Checklist,\xe2\x80\x9d Version 6, Release 4, December 23,\n    2005\n\n    \xe2\x80\x9cNetwork Infrastructure Security Technical Implementation Guide,\xe2\x80\x9d Version 6,\n    Release 4, December 16, 2005\n\n    \xe2\x80\x9cCisco IOS Router Checklist Procedures Guide,\xe2\x80\x9d December 2, 2005\n\n    \xe2\x80\x9cJuniper JUNOS Router Checklist Procedures Guide,\xe2\x80\x9d December 2, 2005\n\n\n\n\n                                        44\n\x0cUNIX\n   \xe2\x80\x9cUNIX Security Technical Implementation Guide,\xe2\x80\x9d Version 5, Release 1,\n   March 28, 2006\n\n   \xe2\x80\x9cUNIX Security Checklist,\xe2\x80\x9d Version 4, Release 4, December 15, 2005\n\n   \xe2\x80\x9cUNIX Security Technical Implementation Guide,\xe2\x80\x9d Version 4, Release 4,\n   September 15, 2003\n\n\nWindows\n   \xe2\x80\x9cWindows 2003/XP/2000 Addendum,\xe2\x80\x9d Version 5, Release 1, August 29, 2005\n\n   \xe2\x80\x9cNational Security Agency Guide to Securing Microsoft Windows XP,\xe2\x80\x9d\n   Version 1.1, December 2003\n\n   \xe2\x80\x9cMicrosoft Windows Server 2003 Security Guide,\xe2\x80\x9d November 23, 2003\n\n   \xe2\x80\x9cNational Security Agency Guide to Securing Microsoft Windows 2000 Group\n   Policy: Security Configuration Tool Set,\xe2\x80\x9d Version 1.2, December 3, 2002\n\n\n\n\n                                    45\n\x0cAppendix F. Acronyms\n       Admin LAN   Administrative Local Area Network\n       CS          Center for Computing Services\n       DAA         Designated Approving Authority\n       DECC        Defense Enterprise Computing Center\n       DISA        Defense Information Systems Agency\n       DITSCAP     Department of Defense Information Technology\n                   Security Certifications and Accreditation Process\n       FSO         Field Security Operations\n       GAO         Government Accountability Office\n       HIDS        Host-Based Intrusion Detection System\n       IA          Information Assurance\n       IACMS       Integrated Asset and Configuration Management\n                   System\n       IAM         Information Assurance Manager\n       IAO         Information Assurance Officer\n       IT          Information Technology\n       MAC         Mission Assurance Category\n       OMB         Office of Management and Budget\n       POA&M       Plan of Action and Milestones\n       SA          System Administrator\n       SLA         Service Level Agreement\n       SRR         Security Readiness Review\n       SSAA        Systems Security Authorization Agreement\n       SSO         Systems Support Office\n       STIG        Security Technical Implementation Guide\n       TMS         Trouble Management System\n       VMS         Vulnerability Management System\n\n\n\n\n                        46\n\x0cAppendix G. Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense (Comptroller)/Chief Financial Officer\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAuditor General, Department of the Air Force\n\nCombatant Commands\nCommander, U.S. Joint Forces Command\n  Inspector General, U.S. Joint Forces Command\nCommander, U.S. Strategic Command\n\nOther Defense Organizations\nDirector, Defense Commissary Agency\nDirector, Defense Finance and Accounting Service\nDirector, Defense Information Systems Agency\nDirector, Defense Logistics Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget\nGovernment Accountability Office\n\n\n\n\n                                          47\n\x0cCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Homeland Security and Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Oversight and Government Reform\nHouse Subcommittee on Government Management, Organization, and Procurement,\n  Committee on Oversight and Government Reform\nHouse Subcommittee on National Security, and Foreign Affairs,\n  Committee on Oversight and Government Reform\n\n\n\n\n                                      48\n\x0cDefense Information Systems Agency, Chief\nInformation Officer Comments\n\n\n\n\n                      49\n\x0c50\n\x0c51\n\x0cDefense Information Systems Agency, Center for\nComputing Services Comments\n\n\n\n\n                      52\n\x0c53\n\x0c54\n\x0c55\n\x0c56\n\x0c57\n\x0cDefense Information Systems Agency, Field\nSecurity Operations Comments\n\n\n\n\n                      58\n\x0c59\n\x0cTeam Members\nThe Department of Defense Office of the Deputy Inspector General for Auditing,\nDefense Financial Auditing Service, in conjunction with contract auditors from\nErnst & Young, LLP prepared this report. Personnel of the Technical Assessment\nDirectorate and the Quantitative Methods Directorate of the Department of\nDefense Office of Inspector General also contributed to the report.\n\nPaul J. Granetto\nPatricia A. Marsh\nPatricia C. Remington\nFrank C. Sonsini\nSuzette L. Luecke\nAnh H. Tran\nMichael L. Davitt\nChanda D. Lee-Baynard\nDanial J. Olberding\nChi H. Lam\nHenry D. Barton\nKandasamy Selvavel\nMinh Q. Tran\nErnest Fine\nWen-Tswan Chen\nChristopher J. Bitakis\nAnn L. Thompson\nErika D. Boyle\n\x0c\x0c'